Rules excluded from DAST scans should not execute
Problem to solve
Rules in DAST can be excluded using the DAST_EXCLUDE_RULES environment configuration. Internally, this changes the risk level associated with the ZAP alert to False Positive, which ensures that no vulnerabilities are added for the rule.
A limitation of this approach is that the rule always executes, even though it will create no vulnerabilities. This takes up unnecessary resources and time during the DAST scan, and it creates confusion for users because the DAST log reports that the rule passes.
Proposal
Another approach to excluding rules should be identified. Excluded rules should be left out completely, so that they are never executed. One option is to use ZAP Scan Policies.
Implementation Plan
- DAST Python should query the ZAP API (self.zap.[a/p]scan.scanners) to find which rules are passive and which are active.
- Passive scan rules that are to be excluded can be excluded using global filters, which is how they currently work.
- Active scan rules that are to be excluded in a normal website scan should be added to the file called /home/zap/.ZAP_D/policies/Default Policy.policy. Non-API active scans in DAST use this policy for scanning, so this will exclude these rules.
- Active scan rules that are to be excluded in an API scan should be added to the file called /home/zap/.ZAP_D/policies/API-Minimal.policy. API active scans in DAST use this policy for scanning, so this will exclude these rules.
Giving this a weight of 2.
Example Policy
The content of a policy file should look something like the following. In this example, active scan rules 10045 and 10048 have been disabled:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <policy>Default Policy</policy>
  <scanner>
    <level>MEDIUM</level>
    <strength>MEDIUM</strength>
  </scanner>
  <plugins>
    <p10045><enabled>false</enabled><level>OFF</level></p10045>
    <p10048><enabled>false</enabled><level>OFF</level></p10048>
  </plugins>
</configuration>
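As an added example (not GitLab DAST's own code), the following sketches the implementation plan above against the policy format just shown: it splits the excluded rule ids into passive and active ones and writes the active ones into the policy XML as disabled plugins. It assumes DAST_EXCLUDE_RULES is a comma-separated list of rule ids, and the active/passive id sets are constructed stand-ins for what the ZAP Python API's ascan.scanners() and pscan.scanners() return.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the rule ids the ZAP Python API returns from
# zap.ascan.scanners() and zap.pscan.scanners() (each entry has an "id" key).
SAMPLE_ACTIVE_IDS = {"10045", "10048", "40012"}
SAMPLE_PASSIVE_IDS = {"10020", "10038"}

# Constructed minimal policy in the shape of Default Policy.policy.
DEFAULT_POLICY = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<policy>Default Policy</policy>
<scanner><level>MEDIUM</level><strength>MEDIUM</strength></scanner>
<plugins/>
</configuration>"""


def split_excluded_rules(exclude_rules, active_ids, passive_ids):
    """Split DAST_EXCLUDE_RULES (assumed comma-separated ids) into
    (active, passive, unknown): active -> policy file, passive -> global
    filters, unknown -> surface to the user instead of silently ignoring."""
    ids = [r.strip() for r in exclude_rules.split(",") if r.strip()]
    active = sorted(i for i in ids if i in active_ids)
    passive = sorted(i for i in ids if i in passive_ids)
    unknown = sorted(i for i in ids if i not in active_ids and i not in passive_ids)
    return active, passive, unknown


def disable_active_rules(policy_xml, rule_ids):
    """Return the policy with <pNNNN><enabled>false</enabled><level>OFF</level>
    for every rule id, replacing an existing <pNNNN> entry rather than
    duplicating it, so ZAP never runs the rule at all."""
    root = ET.fromstring(policy_xml)
    plugins = root.find("plugins")
    if plugins is None:  # an empty <plugins/> element is falsy, so test for None
        plugins = ET.SubElement(root, "plugins")
    for rid in rule_ids:
        node = plugins.find(f"p{rid}")
        if node is None:
            node = ET.SubElement(plugins, f"p{rid}")
        node.clear()
        ET.SubElement(node, "enabled").text = "false"
        ET.SubElement(node, "level").text = "OFF"
    return ET.tostring(root, encoding="unicode", xml_declaration=True)


def disabled_rules(policy_xml):
    """Rule ids a policy disables; lets a pipeline verify the file before scanning."""
    root = ET.fromstring(policy_xml)
    return sorted(p.tag[1:] for p in root.find("plugins")
                  if p.findtext("enabled") == "false")
```

The same function would be run once per policy file (Default Policy.policy for website scans, API-Minimal.policy for API scans) before ZAP starts.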